Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/8/2021
10:00 AM
Amelia Ahlgren
Amelia Ahlgren
Commentary
50%
50%

An Answer to APP Scams You Can Bank On

Financial institutions' usual fraud-detection methods can't detect most authorized push payment (APP) scams, putting customers and banks at risk.

A coalition of organizations recently penned an open letter urging the UK government to include scams in its new Online Safety Bill.

Related Content:

3 Classes of Account Fraud That Can Cost Your Company Big Time

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Are Cyber Insurance Companies Assessing Ransomware Risk?

From the letter: "Online platforms play a pivotal role in enabling criminals to reach and defraud Internet users through the hosting, promotion, and targeting of fake and fraudulent content on their sites, including adverts that they make significant profits from."

The coalition's heart is absolutely in the right place. Consumers deserve better protection, and anyone who distributes, proliferates, or worse, profits from scam advertisements or content should indeed be held accountable.

But the unfortunate reality is that scam ads, emails, text messages, and phone calls continue to penetrate even the best-designed defenses.

When this happens — and it happens a lot — the communication, purportedly coming from a bank or government official, the police, or even a tax authority, drives an emotional response from the recipient.

Motivated by this emotion, as well as a sense of urgency and an inherent trust in the authority of the other party, duped consumers are spurred to act — often logging in to their own financial accounts to execute a transfer that "remedies the crisis." Banks call this authorized push payment (APP) fraud since the authorized user is the one making the transfer. For the layperson, it can simply be characterized as account transfer fraud.

In the United Kingdom alone in 2020, £479 million in losses reported by customers were attributed by banks to APP fraud, according to UK Finance.

The Challenge for Banks
The amount of losses is not a surprise. Just think about it: A bank's security stack must be able to decipher within milliseconds whether it's you or someone else knocking on the door to your online account.

But in the case of an APP scam, money is being transferred by the actual bank customer, who has been tricked into making a financial transaction, often transferring funds to accounts set up by scammers for this specific purpose in faraway places. In an APP scam, all of the bank's traditional modes of fraud detection — a trusted device, geolocation, IP address, and network — fall short.

What's worse, all the crucial elements of the setup occur outside the bank's purview — in places both online and offline that they can't track. They are completely blind to the scheme.

It's an incredibly confounding challenge for the banks (or anyone, frankly) as they try to stem losses and protect their customers.

Fining content distributors for taking in advertising dollars from scammers is a good place to start. But to protect vulnerable consumers, the banks also need a way to recognize that a scam is occurring, even though their anti-fraud systems are accurately detecting the legitimate customer operating within the account. The banks need a last line of defense at the spot where APP fraud occurs and traditional methods of security fail.

One such detection method that is rapidly being deployed to defeat these scams is behavioral biometrics. The technology got its wings confirming that the person behind a screen is who they claim to be — by continuously tracking swipes, taps, keystrokes, mouse movements, and other behavioral characteristics throughout an online session, and comparing them with preexisting customer profiles — all without interfering with the user's journey around the bank's website.

But beyond providing this kind of real-time, continuous authentication throughout a session, the latest advances in behavioral biometrics have enabled banks to recognize when a legitimate user is behaving as if under the influence of a scam, generally by deviating from their existing norms while navigating their websites.

A Challenge to Regulators
Given the effectiveness of such newly emerging technologies, regulators should also consider something more comprehensive than what the coalition proposes. For example, in addition to fining the content distributors, regulators could reward banks that adopt proven, innovative solutions, rather than relying on limited or outmoded security methods that have largely been compromised.

One way this could work is to require banks to disclose their APP fraud losses, with governments providing tax credits or other financial incentives where loss rates meet a predefined standard. The revenue lost to these incentives could be offset by fines generated from leaky content creators.

The Answer for Boards
Thanks to financial and logistical support from malevolent nation-states, today's fraudsters are becoming ever more resourceful and behaving more like criminal enterprises. Nefarious networks are rapidly replacing the standalone hacker, creating an arms race of sorts between cybercriminals and the banks whose defenses they seek to exploit.

This escalating threat has put cybersecurity front and center on corporate board agendas. With top-level responsibility now a fact of corporate life, it is hard to understand why any bank board would fail to adopt innovative technologies to achieve a secure and seamless online experience.

Amelia Ahlgren is EVP, Strategy and Operations, at BioCatch, where she is responsible for corporate strategy, development, and the BioCatch Client Innovation Board, a collective of forward-thinking banks seeking to leverage the unique attributes of behavioral data to solve ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-44121
PUBLISHED: 2022-01-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2022-0372
PUBLISHED: 2022-01-27
Cross-site Scripting (XSS) - Stored in Packagist bytefury/crater prior to 6.0.2.
CVE-2022-0370
PUBLISHED: 2022-01-27
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
CVE-2022-0387
PUBLISHED: 2022-01-27
Cross-site Scripting (XSS) - Stored in Packagist remdex/livehelperchat prior to 3.93v.
CVE-2022-22828
PUBLISHED: 2022-01-27
An insecure direct object reference for the file-download URL in Synametrics SynaMan before 5.0 allows a remote attacker to access unshared files via a modified base64-encoded filename string.